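# NixOS host module. The comment on the port-53 sysctl refers to this machine
# as "rift". It sets FIDO2-backed LUKS unlock, a lowered unprivileged-port
# floor for rootless Podman, the host firewall openings, and DNS routing for
# the internal zone.
#
# Line structure is significant here: `#` comments run to end of line, so each
# comment sits on its own line and cannot swallow the option that follows it.
{ inputs, ... }:
{
  imports = [
    ./hardware-configuration.nix
    ./disk-config.nix
    ../../configs/mcpkg.nix
    ../../configs/mcp.nix
  ];

  config = {
    # FIDO2 LUKS unlock (matches vade setup).
    # `fido2-device=auto` uses the FIDO2 token enrolled in the LUKS2 header.
    # `token-timeout=10` waits up to 10 s for the token before falling back to
    # a passphrase prompt.
    # NOTE(review): crypttabExtraOpts is consumed by the systemd-based initrd;
    # presumably one of the imported files enables it. Confirm.
    boot.initrd.luks.devices."crypted".crypttabExtraOpts = [
      "fido2-device=auto"
      "token-timeout=10"
    ];

    # Allow rootless containers (Podman) to bind port 53 for CoreDNS (MCNS precursor).
    # This sysctl is not scoped to Podman: every unprivileged local process may
    # then bind any port >= 53, including 443 and the rest of the former
    # privileged range. Which process owns those listeners is therefore
    # enforced only by service ordering and the firewall below.
    boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 53;

    # Open ports: DNS (53), mc-proxy (443, 8443, 9443), exod (8080, 9090).
    # allowedTCPPorts/allowedUDPPorts apply to every interface.
    # NOTE(review): confirm 8080/9090 are meant to be reachable on all
    # networks. networking.firewall.interfaces.<name> can narrow them to the
    # internal interface if not.
    networking.firewall.allowedTCPPorts = [ 53 443 8443 9443 8080 9090 ];
    networking.firewall.allowedUDPPorts = [ 53 ];

    # Route internal Metacircular zones to rift's own CoreDNS.
    # The leading `~` marks a routing-only domain for systemd-resolved: names
    # under it are sent to the server above and it is not used as a search
    # suffix.
    # NOTE(review): services.resolved.enable is not set in this file;
    # presumably a shared config enables it. Confirm.
    networking.nameservers = [ "192.168.88.181" ];
    services.resolved.domains = [ "~mcp.metacircular.net" ];
  };
}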